How The Dark Overlord is costing U.S. clinics big time with ransom demands

A brassy, attention-seeking hacker group that calls itself The Dark Overlord is stealing massive numbers of patient records from U.S. medical and dental clinics and hawking them on the black market or spilling them onto the internet.

The group’s digital rampage hasn’t seized the kinds of headlines that have been devoted to the WannaCry ransomware that’s swept the globe in recent days. But it has had a far greater impact in the United States than the ransomware attack, inflicting heavy – even crippling – costs on small clinics across America.

While the ransomware attack affected few computers in the United States other than those of FedEx, The Dark Overlord has plundered hundreds of thousands of digital health records in the past year from coast to coast. Targets have ranged from a Manhattan cosmetic dental practice to a semi-rural Missouri medical clinic. Only last week, the group posted the patient records of clinics in Florida and California.

The hackers freeze the clinics’ records, then demand payment in bitcoin to return access. If payment is not forthcoming, the records may be released on the internet. On the underground “dark web,” crime groups pay varying rates for what is known as personally identifiable information.

Social Security numbers can fetch about 25 cents each, while credit card numbers might bring $1 to $10, said Robert Lord, chief executive of Protenus, a Baltimore firm specializing in health care cybersecurity. Complete health records can sell for hundreds of dollars each.

While credit cards can be canceled, medical records are largely immutable and provide family history, medications, billing information, medical diagnoses, sexual history and further details.

“They can be used for extremely complex types of fraud,” Lord said, like identity theft, medication and claims fraud, and abusive ad targeting.

“Then of course there is medical blackmail. If you’re a public figure and you have plastic surgery or you’re HIV positive or have a cancer diagnosis . . . you can imagine what that could mean if your records became public,” Lord said.

If a ransom demand is ignored or rejected, The Dark Overlord can be testy.

“This clinic didn’t do anything wrong except annoy us,” a Twitter account for @tdohack3r, which is used by The Dark Overlord, said after releasing 142,414 patient records May 4 from the Tampa Bay Surgery Center, a private outpatient facility. The records included home and work telephone numbers, and in some cases Social Security numbers and addresses.

“The country is under siege right now,” said Dr. Jay L. Rosen, chief executive of the facility. “It’s a horrible situation.”

No one knows where The Dark Overlord hackers operate from or how large a group it is, only that it is presumably foreign because it uses common British, not American, spellings.

Many corners of the U.S. health care sector are disastrously vulnerable to computer breaches, experts say, and cybercrime groups discovered that medical records can be valuable for fraud, blackmail and extortion.

“Unfortunately, health care’s got a major target painted on its back,” said Lord, the health care cybersecurity expert.

“It was demented,” Fant said. “They were saying, ‘We’re your new best friends. We want to help you.’”

The hackers installed malicious code that encrypted the hard drives of the facility’s eight computers, and didn’t listen to appeals about the center’s shoestring budget and its charitable services, which include providing hospice support for the cancer-ridden and offering gasoline cards to help poor patients get to doctors’ appointments.

News of the hack came as the center’s directors were literally sitting down for a board meeting on Jan. 11, Fant said. Text messages pinged in.

We made the decision that we were not going to pay.

Aimee Fant of Cancer Services of East Central Indiana

“They wanted ransom. They wanted 43 bitcoin, which was about $43,000,” Fant said. “We made the decision that we were not going to pay.”

The hackers sent messages suggesting that news of the breach would generate sympathy for the center, and donations would increase beyond what the ransom would cost.

“Their argument was that people would feel sorry for us,” she said.

Little Red Door stood firm – and felt the pain.

“We took a hit. . . . They wiped us out clean. We were completely unable to function,” Fant said. “It took about two months to get back up and running.”

A website that monitors hacks in the health care arena, databreaches.net, tallies at least seven cases by The Dark Overlord of thefts of patient data from medical and dental clinics in the past year. They involve clinics in and around Farmington, Missouri; Anaheim, California; Tampa, Florida; and a dental clinic in New York City.

A metro Atlanta clinic, Peachtree Orthopedics, announced last Oct. 1 that 531,000 patient records had been lost to a hack. Last week, a California clinic, Orange County Gastrocare, saw 34,100 files of patient details published on the internet. Both clinics appeared to be Dark Overlord victims.

How many of those breaches were caused by The Dark Overlord is anyone’s guess.

The hacking group does more than go after health clinics. Late last month, the group stole and released 10 episodes of the fifth season of the Netflix series “Orange Is the New Black” a month before its official premiere. Netflix refused to pay a ransom, so the hackers retaliated.

Like outlaws of the Old West, The Dark Overlord seems to thrive on growing fame.

“They are both technically strong and they’ve got good communication skills,” said Nick Bilogorskiy, senior director of threat operations at Cyphort Labs, a cybersecurity firm in Santa Clara, California. “The brand is notorious.”

“They use very grandiose language and like to draw attention to themselves,” he added.

Some of the group’s targets do not take kindly to the criminal computer intrusions and demands for ransom – and respond with both barrels blazing.

The hackers posted a response on pastebin.com: “Being the good-natured people we are, we contacted the dentistry after we had a copy of their patient records safely in our possession. After notifying them of this fact . . . they suddenly became hostile towards us and using very colourful language, foolishly declined,” said the note signed by @tdohack3r.

“As always, we are open to communication and discussion with all of our valued business partners,” the note said.

Aesthetic Dentistry did not respond to several requests for comment.

Clinics hit by the attacks face mounting bills for legal fees and expert digital forensics to look into how the attacks occurred. Sometimes they have to pay for credit monitoring services for patients whose records became public.

Then the clinics can face a crippling loss of business.

“About 50 percent of individuals affected by a data breach are going to switch away from that clinic in the wake of it. What that means is that (affected clinics can) lose the average lifetime value of that patient,” Lord said.

Rosen, the Tampa outpatient clinic executive, still reels from the attack.

“Everybody’s trying to stay ahead of the hackers,” he said, adding that he hopes authorities can prosecute the digital crime groups.

“Any normal person would like to see them brought to justice,” he said.

The Federal Trade Commission offers advice on how to protect computers from malware. Malware is short for "malicious software" and includes viruses and spyware installed on your computer or mobile device without your consent. (Video: McClatchy / Federal Trade Commission)